Abstract

We focus on automated revision techniques for adding Unity properties to distributed programs. We show that unlike centralized programs, where multiple safety properties and one progress property can be added in polynomial-time, addition of a safety or a progress Unity property to distributed programs is significantly more difficult. Precisely, we show that such addition is NP-complete in the size of the given program's state space. We also propose an efficient symbolic heuristic for addition of a leads-to property to distributed programs, which has applications in automated program synthesis.

Keywords: UNITY, Distributed programs, Revision, Transformation, Formal methods.

1 Introduction

Program correctness is an important aspect and application of formal methods. Designing programs to be correct-by-construction is, therefore, highly valuable. Taking the paradigm of correct-by-construction to the extreme leads us to synthesizing programs from their specification. While synthesis from specification is undoubtedly useful, it suffers from lack of reuse, limited expressiveness of the specification used during synthesis (e.g., in the case of undecidable or highly complex languages), and inability to utilize human knowledge (e.g., domain expertise). Alternatively, in program revision one can transform an input program into an output program that meets additional properties. As a matter of fact, in practice, such properties are frequently identified during a system's life cycle due to reasons such as incomplete specification, change of environment, etc. As a concrete example, consider the case where a program is diagnosed with a failed property by a model checker. In such a case, access to automated methods that revise the program with respect to the failed property is highly advantageous. Clearly, transformational approaches that provide reuse allow human expertise to be used in the design of the input program, and permit the use of expressive specifications during the design of the input program. Inevitably, for such revision to be useful, in addition to satisfaction of new properties, the output program must preserve existing properties of the input program as well.

In our previous work in this context [8], we focused on revising programs with respect to Unity [7] properties of a high-atomicity (centralized) program, where the program could read and write all program variables in one atomic step. We emphasize that our revision method in [8] ensures that, during revision, satisfaction of all existing Unity properties of the input program is preserved. In particular, we showed that adding a conjunction of Unity safety properties (i.e., unless, stable, and invariant) and one progress property (i.e., leads-to and ensures) can be achieved in polynomial-time. However, we showed that the problem becomes NP-complete if we consider addition of two progress properties. The reason for our focus on Unity properties is that Unity properties have been found highly valuable in describing a large class of programs.

In this paper, we shift our focus to distributed programs, where processes can read and write only a subset of program variables. We expect the concept of program revision to play a more crucial role in the context of distributed programs due to the complex structure of distributed programs, where non-determinism and race conditions make it significantly more difficult to assert program correctness. We find somewhat unexpected results about the complexity of adding Unity properties to distributed programs. In particular, we find that the problem of adding only one Unity safety property or one progress property to distributed programs is NP-complete in the size of the input program's state space, even though the corresponding problem can be solved in polynomial-time for centralized programs.

The knowledge of these complexity bounds is especially important in building tools for incremental synthesis. In particular, the NP-completeness results demonstrate that tools for revising programs must utilize efficient heuristics to expedite the revision algorithm at the cost of completeness of that algorithm. With this motivation, in this paper, we propose an efficient symbolic (BDD-based) heuristic that adds a leads-to property to a distributed program. We integrate this heuristic with our tool Sycraft [6], which is designed for adding fault-tolerance to existing distributed programs. Leads-to properties are of special interest in fault-tolerant computing, where recovery within a finite number of steps is essential. To this end, one can first augment the program with all possible recovery transitions that it can use. Clearly, this augmented program does not guarantee that it would recover to a set of legitimate states (e.g., an invariant predicate), although there is a potential to reach the legitimate states from states reached in the presence of faults. In particular, it may continue to execute on a cycle that is entirely outside the legitimate states although from each state there is a path to reach the legitimate states. We apply our heuristic for adding a leads-to property to modify the augmented program so that from any state reached in the presence of faults, the program is guaranteed to recover to its legitimate states within a finite number of steps. As a side effect of the tool for adding a leads-to property, we also implement a cycle resolution algorithm. Our experimental results show that this algorithm can also be integrated with existing state-of-the-art model checkers for assisting in developing programs that are correct-by-construction.

Organization. The rest of the paper is organized as follows. In Section 2, we present the preliminary concepts. Then, we formally state the revision problem in Section 3. Section 4 is dedicated to complexity analysis of addition of Unity safety properties to distributed programs. In Section 5, we present our results on the complexity of addition of Unity progress properties. We also present our symbolic heuristic and experimental results in Section 5. Related work is discussed in Section 6. We conclude in Section 7. Appendix A provides a summary of notations.

2 Preliminary Concepts

In this section, we formally define the notion of distributed programs. We also reiterate the concept of Unity properties introduced by Chandy and Misra [7].

2.1 Distributed Programs

Intuitively, we define a distributed program in terms of a set of processes. Each process is in turn specified by a state-transition system and is constrained by some read/write restriction over its set of variables.

Let $V = \{v_0, v_1 \cdots v_n\}$ be a finite set of variables with finite domains $D_0, D_1 \cdots D_n$, respectively. A state, say $s$, is determined by mapping each variable $v_i$ in $V$, $0 \le i \le n$, to a value in $D_i$. We denote the value of a variable $v$ in state $s$ by $v(s)$. The set of all possible states obtained by variables in $V$ is called the state space and is denoted by $S$. A transition is a pair of states of the form $(s_0, s_1)$ where $s_0, s_1 \in S$.

Definition 2.1 (state predicate) Let $S$ be the state space obtained from variables in $V$. A state predicate is a subset of $S$. ∎

Definition 2.2 (transition predicate) Let $S$ be the state space obtained from variables in $V$. A transition predicate is a subset of $S \times S$. ∎

Definition 2.3 (process) A process $p$ is specified by the tuple $(V_p, T_p, R_p, W_p)$ where $V_p$ is a set of variables, $T_p$ is a transition predicate in the state space of $p$ (denoted $S_p$), $R_p$ is a set of variables that $p$ can read, and $W_p$ is a set of variables that $p$ can write such that $W_p \subseteq R_p \subseteq V_p$ (i.e., we assume that $p$ cannot blindly write a variable). ∎

Write restrictions. Let $p = (V_p, T_p, R_p, W_p)$ be a process. Clearly, $T_p$ must be disjoint from the following transition predicate, due to the inability of $p$ to change the value of variables that $p$ cannot write:

$$NW_p = \{(s_0, s_1) \mid v(s_0) \ne v(s_1) \text{ where } v \notin W_p\}.$$

Read restrictions. Let $p = (V_p, T_p, R_p, W_p)$ be a process, $v$ be a variable in $V_p$, and $(s_0, s_1) \in T_p$ where $s_0 \ne s_1$. If $v$ is not in $R_p$, then $p$ must include a corresponding transition from all states $s'_0$ where $s'_0$ and $s_0$ differ only in the value of $v$. Let $(s'_0, s'_1)$ be one such transition. Now, it must be the case that $s_1$ and $s'_1$ are identical except for the value of $v$, and the value of $v$ must be the same in $s'_0$ and $s'_1$. For instance, let $V_p = \{a, b\}$ and $R_p = \{a\}$. Thus, since $p$ cannot read $b$, the transition $([a = 0, b = 0], [a = 1, b = 0])$ and the transition $([a = 0, b = 1], [a = 1, b = 1])$ have the same effect as far as $p$ is concerned. Thus, each transition $(s_0, s_1)$ in $T_p$ is associated with the following group predicate:

$$Group_p(s_0, s_1) = \{(s'_0, s'_1) \mid (\forall v \notin R_p : (v(s'_0) = v(s'_1) \wedge v(s_0) = v(s_1))) \wedge (\forall v \in R_p : (v(s_0) = v(s'_0) \wedge v(s_1) = v(s'_1)))\}.$$

Definition 2.4 (distributed program) A distributed program $\Pi$ is specified by the tuple $(\mathcal{P}_\Pi, I_\Pi)$ where $\mathcal{P}_\Pi$ is a set of processes and $I_\Pi$ is a set of initial states. Without loss of generality, we assume that the state space of all processes in $\mathcal{P}_\Pi$ is identical (i.e., $\forall p, q \in \mathcal{P}_\Pi :: (V_p = V_q) \wedge (D_p = D_q)$). Thus, the set of variables (denoted $V_\Pi$) and state space of program $\Pi$ (denoted $S_\Pi$) are identical to the set of variables and state space of processes of $\Pi$, respectively. In this sense, the set $I_\Pi$ of initial states of $\Pi$ is a subset of $S_\Pi$. ∎

Notation. Let $\Pi = (\mathcal{P}_\Pi, I_\Pi)$ be a distributed program (or simply a program). The set $T_\Pi$ denotes the collection of transition predicates of all processes of $\Pi$, i.e., $T_\Pi = \bigcup_{p \in \mathcal{P}_\Pi} T_p$.

Definition 2.5 (computation) Let $\Pi = (\mathcal{P}_\Pi, I_\Pi)$ be a program. A sequence of states, $\overline{s} = (s_0, s_1 \cdots)$, is a computation of $\Pi$ iff the following three conditions are satisfied: (1) $s_0 \in I_\Pi$, (2) $\forall i \ge 0 : (s_i, s_{i+1}) \in T_\Pi$, and (3) if $\overline{s}$ is finite and terminates in state $s_l$ then there does not exist a state $s$ such that $(s_l, s) \in T_\Pi$. ∎

For a distributed program $\Pi = (\mathcal{P}_\Pi, I_\Pi)$, we say that a sequence of states, $\overline{s} = (s_0, s_1 \cdots s_n)$, is a computation prefix of $\Pi$ iff $\forall j \mid 0 \le j < n : (s_j, s_{j+1}) \in T_\Pi$. We distinguish between a terminating computation and a deadlocked computation. Precisely, when a computation $\overline{s}$ terminates in state $s_l$, we assume that the transition $(s_l, s_l)$ appears in the transition predicate of some process in $\mathcal{P}_\Pi$; i.e., $\overline{s}$ can be extended to an infinite computation by stuttering at $s_l$. On the other hand, if there exists a state $s_d$ such that an outgoing transition (or a self-loop) from $s_d$ appears in the transition predicate of no process in $\mathcal{P}_\Pi$, then $s_d$ is a deadlock state and a computation of $\Pi$ that reaches $s_d$ is a deadlocked computation. Clearly, such computations cannot be extended to an infinite computation.

2.2 UNITY Properties

We now present the formal definitions for the Unity properties introduced by Chandy and Misra [7]. Unity properties are categorized into two classes, safety and progress properties. These properties are defined next.

Definition  2.6  (UNITY  safety  properties) 

Let  P  and  Q  be  arbitrary  state  predicates. 

•  (Unless)  An  infinite  sequence  of  states  s  = 
(so,  Si  •  •  • )  satisfies  ‘P  unless  Q’  iff  Vi  >  0  :  (sj  G 
(P  n -iQ))  ^  (si+i  G  {PUQ)).  Intuitively,  if 
P  holds  in  a  state  of  s  then  either  (1)  Q  never 
holds  in  s  and  P  is  continuously  true,  or  (2) 
Q  becomes  true  and  P  holds  at  least  until  Q 
becomes  true. 

•  (Stable)  An  infinite  sequence  of  states  s  = 
{so,si---)  satisfies  ‘stable  P’  iff  s  satisfies  P 
unless  false.  Intuitively,  P  is  stable  iff  once  it 
becomes  true,  it  remains  true  forever. 

•  (Invariant)  An  infinite  sequence  of  states  s  = 
{sq,  Si  •  •  • )  satisfies  ‘invariant  P’  iff  sq  G  P  and  s 
satisfies  stable  P.  An  invariant  property  always 
holds.  I 

Definition  2.7  (UNITY  progress  properties) 

Let  P  and  Q  be  arbitrary  state  predicates. 

•  (Leads-to)  An  infinite  sequence  of  states  s  = 
(so,si---)  satisfies  ‘P  leads-to  Q’  iff  (Vi  >  0  : 
(sj  G  P)  =>  (3j  >  i  :  Sj  €  Q)).  In  other  words, 
if  P  holds  in  a  state  Sj,  i  >  0,  of  s  then  there 
exists  a  state  Sj  ms,i<j,  such  that  Q  holds. 

•  (Ensures)  An  infinite  sequence  of  states  s  = 
{so,  Si  •  •  • )  satisfies  ‘P  ensures  Q’  iff  (I)  if  Pn^Q 
is  true  in  a  state  Sj,  i  >  0,  then  (1)  Si+i  G 
(P  U  Q),  and  (2)  3j  >  i  :  Sj  G  Q.  In  other 
words,  there  exists  a  state  Sj  where  Q  even¬ 
tually  becomes  true  in  sj  and  P  remains  true 
everywhere  in  between  Si  and  sj.  I 

We now define what it means for a program to refine a Unity property. Note that throughout this paper, we assume that a program and its properties have identical state space.

Definition 2.8 (refines) Let $\Pi = (\mathcal{P}_\Pi, I_\Pi)$ be a program and $\mathcal{L}$ be a Unity property. We say that $\Pi$ refines $\mathcal{L}$ iff all computations of $\Pi$ are infinite and satisfy $\mathcal{L}$. ∎

Definition 2.9 (specification) A Unity specification $\Sigma$ is the conjunction $\bigwedge_{i=1}^{n} \mathcal{L}_i$ where each $\mathcal{L}_i$ is a Unity safety or progress property. ∎

One can easily extend the notion of refinement to Unity specifications as follows. Given a program $\Pi$ and a specification $\Sigma = \bigwedge_{i=1}^{n} \mathcal{L}_i$, $\Pi$ refines $\Sigma$ iff for all $i$, $1 \le i \le n$, $\Pi$ refines $\mathcal{L}_i$.

Concise representation of safety properties. Notice that the Unity safety properties can be characterized in terms of a set of bad transitions that should never occur in a program computation. For example, stable $P$ requires that a transition, say $(s_0, s_1)$, where $s_0 \in P$ and $s_1 \notin P$, should never occur in any computation of a program that refines stable $P$. Hence, for simplicity, in this paper, when dealing with safety Unity properties of a program $\Pi = (\mathcal{P}_\Pi, I_\Pi)$, we assume that they are represented by a transition predicate $B \subseteq S_\Pi \times S_\Pi$ whose transitions should never occur in any computation.
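The sequence-level semantics of Definitions 2.6 and 2.7 and the bad-transition representation of safety properties above, as an added example that is not code from the paper: infinite sequences are represented as lassos (a finite prefix followed by a cycle repeated forever), and `bad_transitions` builds the set $B$ for '$P$ unless $Q$' so that checking $B$ against consecutive pairs agrees with the direct definition.

```python
# Added example, not code from the paper. An infinite sequence of states is
# given as a lasso (prefix, cycle): the prefix followed by the cycle repeated
# forever, which is the shape of every infinite computation of a finite-state
# program. A state predicate is a set; states are opaque hashable values.


def pairs(lasso):
    """All distinct consecutive pairs (s_i, s_{i+1}): the prefix, one turn of
    the cycle, and the edge from the cycle's last state back to its first."""
    prefix, cycle = lasso
    seq = list(prefix) + list(cycle) + [cycle[0]]
    return list(zip(seq, seq[1:]))


def unless(lasso, P, Q):
    """'P unless Q' (Definition 2.6): s_i in P and not in Q implies s_{i+1} in P or Q."""
    return all(s1 in P or s1 in Q
               for s0, s1 in pairs(lasso) if s0 in P and s0 not in Q)


def stable(lasso, P):
    return unless(lasso, P, set())  # 'P unless false'


def invariant(lasso, P):
    prefix, cycle = lasso
    s0 = prefix[0] if prefix else cycle[0]
    return s0 in P and stable(lasso, P)


def leads_to(lasso, P, Q):
    """'P leads-to Q' (Definition 2.7): a P-state at position i is followed by a
    Q-state at some j >= i. Every cycle state recurs, so a P-state on the cycle
    is satisfied exactly when some Q-state lies on the cycle."""
    prefix, cycle = lasso
    cycle_has_q = any(s in Q for s in cycle)
    if any(s in P for s in cycle) and not cycle_has_q:
        return False
    return all(cycle_has_q or any(t in Q for t in prefix[i:])
               for i, s in enumerate(prefix) if s in P)


def ensures(lasso, P, Q):
    """'P ensures Q' (Definition 2.7): whenever P and not Q holds, P or Q holds
    next and Q is reached at some j >= i; this is 'P unless Q' and 'P leads-to Q'."""
    return unless(lasso, P, Q) and leads_to(lasso, P, Q)


def bad_transitions(S, P, Q):
    """The concise representation of 'P unless Q' over state space S: the set B
    of transitions that must occur in no computation (stable P is Q = {};
    invariant P additionally requires s_0 in P)."""
    return {(s0, s1) for s0 in S for s1 in S
            if s0 in P and s0 not in Q and s1 not in P and s1 not in Q}


def unless_via_bad(lasso, S, P, Q):
    """Checking 'P unless Q' by B only: no consecutive pair may be in B."""
    bad = bad_transitions(S, P, Q)
    return not any(t in bad for t in pairs(lasso))


# Constructed sequence 0 1 2 (3 4)^omega over state space {0,...,4}.
LASSO = ([0, 1, 2], [3, 4])
STATES = {0, 1, 2, 3, 4}

if __name__ == "__main__":
    print("{1,2,3} unless {4}:", unless(LASSO, {1, 2, 3}, {4}))
    print("stable {1,2,3}:", stable(LASSO, {1, 2, 3}))
    print("{1,2,3} ensures {4}:", ensures(LASSO, {1, 2, 3}, {4}))
```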

3 Problem Statement

Given are a program $\Pi = (\mathcal{P}_\Pi, I_\Pi)$ and a (new) Unity specification $\Sigma_n$. Our goal is to devise an automated method which revises $\Pi$ so that the revised program (denoted $\Pi' = (\mathcal{P}_{\Pi'}, I_{\Pi'})$) (1) refines $\Sigma_n$, and (2) continues refining its existing Unity specification $\Sigma_e$, where $\Sigma_e$ is unknown. Thus, during the revision, we only want to reuse the correctness of $\Pi$ with respect to $\Sigma_e$ so that the correctness of $\Pi'$ with respect to $\Sigma_e$ is derived from '$\Pi$ refines $\Sigma_e$'.

Intuitively, in order to ensure that the revised program continues refining the existing specification $\Sigma_e$, we constrain the revision problem so that the set of computations of $\Pi'$ is a subset of the set of computations of $\Pi$. In this sense, since Unity properties are not existentially quantified (unlike in CTL), we are guaranteed that all computations of $\Pi'$ satisfy the Unity properties that participate in $\Sigma_e$.

Now, we formally identify constraints on $S_{\Pi'}$, $I_{\Pi'}$, and $T_{\Pi'}$. Observe that if $S_{\Pi'}$ contains states that are not in $S_\Pi$, there is no guarantee that the correctness of $\Pi$ with respect to $\Sigma_e$ can be reused to ensure that $\Pi'$ refines $\Sigma_e$. Also, since $S_\Pi$ denotes the set of all states (not just reachable states) of $\Pi$, removing states from $S_\Pi$ is not advantageous. Likewise, $I_{\Pi'}$ should not have any states that were not there in $I_\Pi$. Moreover, since $I_\Pi$ denotes the set of all initial states of $\Pi$, we should preserve them during the revision. Finally, we require that $T_{\Pi'}$ should be a subset of $T_\Pi$. Note that not all transitions of $T_\Pi$ may be preserved in $T_{\Pi'}$. Hence, we must ensure that $\Pi'$ does not deadlock. Based on Definition 2.9, if (i) $T_{\Pi'} \subseteq T_\Pi$, (ii) $\Pi'$ does not deadlock, and (iii) $\Pi$ refines $\Sigma_e$, then $\Pi'$ also refines $\Sigma_e$. Thus, the revision problem is formally defined as follows:

Problem Statement 3.1 Given a program $\Pi = (\mathcal{P}_\Pi, I_\Pi)$ and a Unity specification $\Sigma_n$, identify $\Pi' = (\mathcal{P}_{\Pi'}, I_{\Pi'})$ such that:

(C1) $S_{\Pi'} = S_\Pi$,

(C2) $I_{\Pi'} = I_\Pi$,

(C3) $T_{\Pi'} \subseteq T_\Pi$, and

(C4) $\Pi'$ refines $\Sigma_n$. ∎

Note that the requirement of deadlock freedom is not explicitly specified in the above problem statement, as it follows from '$\Pi'$ refines $\Sigma_n$'. Throughout the paper, we use 'revision of $\Pi$ with respect to a specification $\Sigma_n$ (or property $\mathcal{L}$)' and 'addition of $\Sigma_n$ (respectively, $\mathcal{L}$) to $\Pi$' interchangeably. In Sections 4 and 5, we present our results on developing automated methods that solve the above revision problem with respect to different types of Unity properties.

4 Adding UNITY Safety Properties to Distributed Programs

As mentioned in Section 2, Unity safety properties can be characterized by a transition predicate, say $B$, whose transitions should occur in no computation of a program. In a centralized setting, where programs have no restrictions on reading and writing variables, a program $\Pi = (\mathcal{P}_\Pi, I_\Pi)$ can be easily revised with respect to $B$ by simply (1) removing the transitions in $B$ from $T_\Pi$, and (2) making newly created deadlock states unreachable [8].

To the contrary, the above approach is not adequate for a distributed setting, as it is sound (i.e., it constructs a correct program) but not complete (it may fail to find a solution while one exists). This is due to the issue of read restrictions in distributed programs, which associates each transition of a process with a group predicate. This notion of grouping makes the revision complex, since a revision algorithm has to examine many combinations to determine which group of transitions must be removed and, hence, which deadlock states need to be handled. Indeed, we show that the issue of read restrictions changes the complexity class of the revision problem entirely.
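The group predicate of Section 2.1 and the two-step centralized revision above, as an added example that is not code from the paper or its tool: on a constructed two-process program in which only $q$ can read $b$, the centralized steps (with each removal dragging the transition's group along) end in a deadlocked initial state and report failure, while an exhaustive search over unions of groups, exponential as Theorem 4.1 predicts, finds a revision that leaves the bad transition in place but unreachable. All state, variable and process names below are constructed for the example.

```python
from itertools import product

# Added example, not code from the paper or its tool. A state is a tuple of
# variable values: variable 0 is a (domain {0,1,2}), variable 1 is b (domain
# {0,1}). A transition is a pair of states; a process is (readable variables,
# its transition predicate T_p). Predicates are plain sets.
DOMAINS = [(0, 1, 2), (0, 1)]


def group(s0, s1, domains, readable):
    """Group_p(s0, s1) of Section 2.1: the transitions a process that can read
    only `readable` cannot tell apart from (s0, s1). Unreadable variables take
    one common value in both states; readable ones agree with s0 and s1."""
    unreadable = [v for v in range(len(domains)) if v not in readable]
    if any(s0[v] != s1[v] for v in unreadable):
        return set()  # p cannot write what it cannot read (W_p within R_p)
    members = set()
    for vals in product(*(domains[v] for v in unreadable)):
        t0, t1 = list(s0), list(s1)
        for v, x in zip(unreadable, vals):
            t0[v] = t1[v] = x
        members.add((tuple(t0), tuple(t1)))
    return members


def reachable(transitions, initial):
    seen, todo = set(initial), list(initial)
    while todo:
        s = todo.pop()
        for x, y in transitions:
            if x == s and y not in seen:
                seen.add(y)
                todo.append(y)
    return seen


def refines(transitions, initial, bad):
    """C4 for a safety property given by bad transitions B: every reachable
    state has an outgoing transition (no deadlock) and no transition of B
    starts in a reachable state."""
    reach = reachable(transitions, initial)
    return (all(any(x == s for x, _ in transitions) for s in reach)
            and not any(t in bad and t[0] in reach for t in transitions))


def naive_revise(procs, initial, bad, domains):
    """The two centralized steps of Section 4: (1) drop the transitions of B,
    (2) make each reachable deadlock state unreachable by dropping the
    transitions entering it. On a distributed program every drop also removes
    the transition's whole group in each process (read restriction)."""
    cur = {p: set(tp) for p, (_, tp) in procs.items()}

    def drop(t):
        for p, (rp, _) in procs.items():
            cur[p] -= group(t[0], t[1], domains, rp)

    for t in bad:
        drop(t)
    while True:
        t_all = set().union(*cur.values())
        reach = reachable(t_all, initial)
        deadlocks = {s for s in reach if not any(x == s for x, _ in t_all)}
        if not deadlocks:
            return t_all
        if deadlocks & set(initial):
            return None  # an initial state cannot be made unreachable
        for t in {t for t in t_all if t[1] in deadlocks}:
            drop(t)


def complete_revise(procs, initial, bad, domains):
    """Exhaustive search over unions of groups (exponential in the number of
    groups, as Theorem 4.1 predicts in general); returns the largest T'
    satisfying C3 and C4, or None when no revision exists."""
    groups = []
    for rp, tp in procs.values():
        groups.extend({frozenset(group(x, y, domains, rp)) for x, y in tp})
    best = None
    for mask in range(1 << len(groups)):
        t_all = set().union(*(g for i, g in enumerate(groups) if mask >> i & 1))
        if refines(t_all, initial, bad) and (best is None or len(t_all) > len(best)):
            best = t_all
    return best


# Constructed program: q reads a and b and picks a branch from (0, 0);
# p reads only a, so its step a: 1 -> 2 exists for b = 0 and b = 1 alike.
PROCS = {
    "p": ({0}, {((1, 0), (2, 0)), ((1, 1), (2, 1))}),
    "q": ({0, 1}, {((0, 0), (1, 0)), ((0, 0), (0, 1)), ((0, 1), (1, 1)),
                   ((2, 0), (2, 0)), ((2, 1), (2, 1))}),
}
INITIAL = {(0, 0)}
BAD = {((1, 1), (2, 1))}  # 'stable (a, b) != (2, 1)' over the program's transitions

if __name__ == "__main__":
    print("centralized steps with groups:", naive_revise(PROCS, INITIAL, BAD, DOMAINS))
    print("exhaustive search:", complete_revise(PROCS, INITIAL, BAD, DOMAINS))
```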

Instance. A distributed program $\Pi = (\mathcal{P}_\Pi, I_\Pi)$ and a Unity safety specification $\Sigma_n$.

Decision problem. Does there exist a program $\Pi' = (\mathcal{P}_{\Pi'}, I_{\Pi'})$ such that $\Pi'$ meets the constraints of Problem Statement 3.1 for the above instance?

We now show that the above decision problem is NP-complete by a reduction from the well-known satisfiability problem. The SAT problem is as follows:

Let $x_1, x_2 \cdots x_N$ be propositional variables. Given a Boolean formula $y = y_{N+1} \wedge y_{N+2} \cdots y_{M+N}$, where each clause $y_j$, $N+1 \le j \le M+N$, is a disjunction of three or more literals, does there exist an assignment of truth values to $x_1, x_2 \cdots x_N$ such that $y$ is satisfied?

We note that the unconventional subscripting of variables and clauses in the above definition of the SAT problem is deliberately chosen to make our proofs simpler.

Theorem 4.1 The problem of adding a Unity safety property to a distributed program is NP-complete.

Proof. Since showing membership in NP is straightforward, we only need to show that the problem is NP-hard. Towards this end, we present a polynomial-time mapping from an instance of the SAT problem to a corresponding instance of our revision problem. Thus, we construct $\Pi = (\mathcal{P}_\Pi, I_\Pi)$ as follows.

Variables. The set of variables of program $\Pi$ and, hence, of its processes is $V = \{v_0, v_1, v_2, v_3, v_4\}$. The domains of these variables are respectively as follows: $\{-1, 0, 1\}$, $\{-1, 0, 1\}$, $\{0, 1\}$, $\{0, 1\}$, $\{1, 2 \cdots M+N\} \cup \{j^i \mid (1 \le i \le N) \wedge (N+1 \le j \le M+N)\}$. We note that $j^i$ in the last set is not an exponent, but a denotational symbol.

Reachable states. The set of reachable states in our mapping is as follows:

• For each propositional variable $x_i$, $1 \le i \le N$, in the instance of the SAT problem, we introduce the following states (see Figure 1-a): $a_i, b_i, b'_i, c_i, c'_i, d_i, d'_i$. We require that states $a_1$ and $a_{N+1}$ are identical.

• For each clause $y_j$, $N+1 \le j \le M+N$, we introduce state $r_j$.

• For each clause $y_j$, $N+1 \le j \le M+N$, and variable $x_i$ in clause $y_j$, $1 \le i \le N$, we introduce the following states: $r_{ji}, s_{ji}, s'_{ji}, t_{ji}, t'_{ji}$.

Value assignments. Assignment of values to each variable at each state is shown in Figure 1-a (denoted by $\langle v_0, v_1, v_2, v_3, v_4 \rangle$). This part of our mapping is the most crucial factor in forming group predicates.

Processes. Program $\Pi$ consists of four processes. Formally, $\mathcal{P}_\Pi = \{p_1, p_2, p_3, p_4\}$. Transition predicates and read/write restrictions of processes in $\mathcal{P}_\Pi$ are as follows:

• Read/write restrictions. The read/write restrictions of processes $p_1$, $p_2$, $p_3$, and $p_4$ are as follows:

  - $R_{p_1} = \{v_0, v_2, v_3\}$ and $W_{p_1} = \{v_0, v_2, v_3\}$.

  - $R_{p_2} = \{v_1, v_2, v_3\}$ and $W_{p_2} = \{v_1, v_2, v_3\}$.

  - $R_{p_3} = \{v_0, v_1, v_2, v_3, v_4\}$ and $W_{p_3} = \{v_0, v_1, v_2, v_4\}$.

  - $R_{p_4} = \{v_0, v_1, v_2, v_3, v_4\}$ and $W_{p_4} = \{v_0, v_1, v_3, v_4\}$.

• Transition predicates. For each propositional variable $x_i$, $1 \le i \le N$, we include the following transitions in processes $p_1$, $p_2$, $p_3$, and $p_4$ (see Figure 1-a):

  - $T_{p_1} = \{(b'_i, d'_i), (b_i, c_i) \mid 1 \le i \le N\}$.

  - $T_{p_2} = \{(b'_i, c'_i), (b_i, d_i) \mid 1 \le i \le N\}$.

  - $T_{p_3} = \{(c_i, a_{i+1}), (c'_i, a_{i+1}), (d'_i, a_{i+1}), (d_i, a_{i+1}) \mid 1 \le i \le N\}$.

  - $T_{p_4} = \{(a_i, b_i), (a_i, b'_i) \mid 1 \le i \le N\}$.

  Moreover, corresponding to each clause $y_j$, $N+1 \le j \le M+N$, and variable $x_i$, $1 \le i \le N$, in clause $y_j$, we include transition $(r_j, r_{ji})$ in $T_{p_3}$ and the following:

  - If $x_i$ is a literal in clause $y_j$ then we include transition $(r_{ji}, s_{ji})$ in $T_{p_2}$, $(s_{ji}, t_{ji})$ in $T_{p_3}$, and $(t_{ji}, b_i)$ in $T_{p_4}$.

  - If $\neg x_i$ is a literal in clause $y_j$ then we include transition $(r_{ji}, s'_{ji})$ in $T_{p_1}$, $(s'_{ji}, t'_{ji})$ in $T_{p_3}$, and $(t'_{ji}, b'_i)$ in $T_{p_4}$.
Figure 1: Reduction from the SAT problem. (a) Mapping SAT to addition of Unity safety properties. (b) The structure of the revised program for Boolean formula $(x_1 \vee \neg x_2 \vee x_3) \wedge (x_1 \vee x_2 \vee \neg x_4)$, where $x_1 = \mathit{true}$, $x_2 = \mathit{false}$, $x_3 = \mathit{false}$, and $x_4 = \mathit{false}$.


Note that only for the sake of illustration, Figure 1-a shows all possible transitions. However, in order to construct $\Pi$, based on the existence of $x_i$ or $\neg x_i$ in $y_j$, we only include a subset of the transitions.

Initial states. The set $I_\Pi$ represents the clauses of the instance of the SAT problem, i.e., $I_\Pi = \{r_j \mid N+1 \le j \le M+N\}$.

Safety property. Let $P$ be a state predicate that contains all reachable states in Figure 1-a except $c_i$ and $c'_i$ (i.e., $c_i, c'_i \in \neg P$). Thus, the properties stable $P$ and invariant $P$ can be characterized by the transition predicate $B = \{(b_i, c_i), (b'_i, c'_i) \mid 1 \le i \le N\}$. Similarly, let $P$ and $Q$ be two state predicates that contain all reachable states in Figure 1-a except $c_i$ and $c'_i$. Thus, the safety property $P$ unless $Q$ can be characterized by $B$ as well. In our mapping, we let $B$ represent the safety specification for which $\Pi$ has to be revised.

Before we present our reduction from the SAT problem using the above mapping, we make the following observations regarding the grouping of transitions in different processes:

1. Due to the inability of process $p_1$ to read variable $v_4$, for all $i$, $1 \le i \le N$, transitions $(r_{ji}, s'_{ji})$, $(b'_i, d'_i)$, and $(b_i, c_i)$ are grouped in $p_1$.

2. Due to the inability of process $p_2$ to read variable $v_4$, for all $i$, $1 \le i \le N$, transitions $(r_{ji}, s_{ji})$, $(b_i, d_i)$, and $(b'_i, c'_i)$ are grouped in $p_2$.

3. Transitions grouped with the rest of the transitions in Figure 1-a are unreachable and, hence, are irrelevant.

Now, we show that the answer to the SAT problem is affirmative if and only if there exists a solution to the revision problem. Thus, we distinguish two cases:

• ($\Rightarrow$) First, we show that if the given instance of the SAT formula is satisfiable then there exists a solution that meets the requirements of the revision decision problem. Since the SAT formula is satisfiable, there exists an assignment of truth values to all variables $x_i$, $1 \le i \le N$, such that each $y_j$, $N+1 \le j \le M+N$, is true. Now, we identify a program $\Pi'$, that is obtained by adding the safety property represented by $B$ to program $\Pi$, as follows.

  - The state space of $\Pi'$ consists of all the states of $\Pi$, i.e., $S_\Pi = S_{\Pi'}$.

  - The initial states of $\Pi'$ consist of all the initial states of $\Pi$, i.e., $I_\Pi = I_{\Pi'}$.

  - For each variable $x_i$, $1 \le i \le N$, if $x_i$ is true then we include the following transitions: $(a_i, b_i)$ in $T_{p_4}$, $(b_i, d_i)$ in $T_{p_2}$, and $(d_i, a_{i+1})$ in $T_{p_3}$.

  - For each variable $x_i$, $1 \le i \le N$, if $x_i$ is false then we include the following transitions: $(a_i, b'_i)$ in $T_{p_4}$, $(b'_i, d'_i)$ in $T_{p_1}$, and $(d'_i, a_{i+1})$ in $T_{p_3}$.

  - For each clause $y_j$, $N+1 \le j \le M+N$, that contains literal $x_i$, if $x_i$ is true, we include the following transitions: $(r_j, r_{ji})$ in $T_{p_3}$, $(r_{ji}, s_{ji})$ in $T_{p_2}$, $(s_{ji}, t_{ji})$ in $T_{p_3}$, and $(t_{ji}, b_i)$ in $T_{p_4}$.

  - For each clause $y_j$, $N+1 \le j \le M+N$, that contains literal $\neg x_i$, if $x_i$ is false, we include the following transitions: $(r_j, r_{ji})$ in $T_{p_3}$, $(r_{ji}, s'_{ji})$ in $T_{p_1}$, $(s'_{ji}, t'_{ji})$ in $T_{p_3}$, and $(t'_{ji}, b'_i)$ in $T_{p_4}$.

  As an illustration, we show the partial structure of $\Pi'$ for the formula $(x_1 \vee \neg x_2 \vee x_3) \wedge (x_1 \vee x_2 \vee \neg x_4)$, where $x_1 = \mathit{true}$, $x_2 = \mathit{false}$, $x_3 = \mathit{false}$, and $x_4 = \mathit{false}$, in Figure 1-b. Notice that states all of whose outgoing and incoming transitions are eliminated are not illustrated. Now, we show that $\Pi'$ meets the requirements of Problem Statement 3.1:

  1. The first three constraints of the decision problem are trivially satisfied by construction.

  2. We now show that constraint C4 holds. First, it is easy to observe that, by construction, there exist no reachable deadlock states in the revised program. Hence, if $\Pi$ refines Unity specification $\Sigma_e$ then $\Pi'$ refines $\Sigma_e$ as well. Moreover, if a computation of $\Pi'$ reaches a state $b_i$ for some $i$, from an initial state $r_j$ (i.e., $x_i$ is true in clause $y_j$), then that computation cannot violate safety since bad transition $(b_i, c_i)$ is removed. This is due to the fact that $(b_i, c_i)$ is grouped with transition $(r_{ji}, s'_{ji})$ and this transition is not included in $\Pi'$, as literal $x_i$ is true in $y_j$. Likewise, if a computation of $\Pi'$ reaches a state $b'_i$ for some $i$, from initial state $r_j$ (i.e., $x_i$ is false in clause $y_j$), then that computation cannot violate safety since transition $(b'_i, c'_i)$ is removed. This is due to the fact that $(b'_i, c'_i)$ is grouped with transition $(r_{ji}, s_{ji})$ and this transition is not included in $\Pi'$, as $x_i$ is false. Thus, $\Pi'$ refines $\Sigma_n$.

• ($\Leftarrow$) Next, we show that if there exists a solution to the revision problem for the instance identified by our mapping from the SAT problem, then the given SAT formula is satisfiable. Let $\Pi'$ be the program that is obtained by adding the safety property $\Sigma_n$ to program $\Pi$. Now, in order to obtain a solution for SAT, we proceed as follows. If there exists a computation of $\Pi'$ where state $b_i$ is reachable then we assign $x_i$ the truth value true. Otherwise, we assign the truth value false.

  We now show that the above truth assignment satisfies all clauses. Let $y_j$ be a clause for some $j$, $N+1 \le j \le M+N$, and let $r_j$ be the corresponding initial state in $\Pi'$. Since $r_j$ is an initial state and $\Pi'$ cannot deadlock, the transition $(r_j, r_{ji})$ must be present in $\Pi'$, for some $i$, $1 \le i \le N$. By the same argument, there must exist some transition that originates from $r_{ji}$. This transition terminates in either $s_{ji}$ or $s'_{ji}$. Observe that $\Pi'$ cannot have both transitions, as grouping of transitions will include both $(b_i, c_i)$ and $(b'_i, c'_i)$, which in turn causes violation of safety by $\Pi'$. Now, if the transition from $r_{ji}$ terminates in $s_{ji}$, then clause $y_j$ contains literal $x_i$ and $x_i$ is assigned the truth value true. Hence, $y_j$ evaluates to true. Likewise, if the transition from $r_{ji}$ terminates in $s'_{ji}$, then clause $y_j$ contains literal $\neg x_i$ and $x_i$ is assigned the truth value false. Hence, $y_j$ evaluates to true. Therefore, the assignment of values considered above is a satisfying truth assignment for the given SAT formula. ∎

5 Adding UNITY Progress Properties to Distributed Programs

This  section  is  organized  as  follows.  In  Subsection 
5.1,  we  show  that  adding  a  Unity  progress  property 
to  a  distributed  program  is  NP-complete.  Then,  in 
Subsection  5.2,  we  present  a  symbolic  heuristic  for 
adding  a  leads-to  property  to  a  distributed  program. 

5.1  Complexity 

In a centralized setting, where programs have no restriction on reading and writing variables, a program, say $\Pi = (P_\Pi, I_\Pi)$, can be easily revised with respect to a progress property by simply (1) breaking non-progress cycles that prevent the program from eventually reaching a desirable state predicate, and (2) removing deadlock states [8]. To the contrary, in a distributed setting, due to the issue of grouping, it matters which transition (and as a result its corresponding group) is removed to break a non-progress cycle.
Figure 2: Reduction from the SAT problem. (a) Mapping SAT to addition of a leads-to property. (b) The structure of the revised program for Boolean formula $(x_1 \vee \neg x_2 \vee x_3) \wedge (x_1 \vee x_2 \vee \neg x_4)$, where $x_1 = true$, $x_2 = false$, $x_3 = false$, and $x_4 = false$.


Instance. A distributed program $\Pi = (P_\Pi, I_\Pi)$ and Unity progress property $\Sigma_n$.

Decision problem. Does there exist a program $\Pi' = (P_{\Pi'}, I_{\Pi'})$ such that $\Pi'$ meets the constraints of Problem Statement 3.1 for the above instance?

Theorem 5.1 The problem of adding a Unity progress property to a distributed program is NP-complete.

Proof. Since showing membership in NP is straightforward, we only show that the problem is NP-hard by a reduction from the SAT problem. First, we present a polynomial-time mapping.

Variables. The set of variables of program $\Pi$ and, hence, of its processes is $V = \{v_0, v_1, v_2, v_3, v_4\}$. The domains of these variables are respectively as follows: $\{0, 1\}$, $\{0, 1\}$, $\{1, 2, \cdots, M+N\} \cup \{\, f \mid (1 \le i \le N) \wedge (N+1 \le j \le M+N) \,\}$, $\{-1, 0, 1\}$, and $\{-1, 0, 1\}$.

Reachable states. The set of reachable states in our mapping is as follows:

• For each propositional variable $x_i$, $1 \le i \le N$, we introduce the following states (see Figure 2-a): $a_i$, $a'_i$, $b_i$, $b'_i$, $c_i$, $c'_i$, $d_i$, $d'_i$, $Q_i$, and $Q'_i$.

• For each clause $y_j$, $N+1 \le j \le M+N$, we introduce state $r_j$.

• For each clause $y_j$, $N+1 \le j \le M+N$, and $x_i$, $1 \le i \le N$, in clause $y_j$, we introduce states $r_{ji}$, $s_{ji}$, and $s'_{ji}$.


Value assignments. Assignment of values to each variable at each state is shown in Figure 2-a (denoted by $\langle v_0, v_1, v_2, v_3, v_4 \rangle$).

Processes. Program $\Pi$ consists of four processes. Formally, $P_\Pi = \{p_1, p_2, p_3, p_4\}$. Transition predicates and read/write restrictions of processes in $P_\Pi$ are as follows:

• Read/write restrictions. The read/write restrictions of processes $p_1$, $p_2$, $p_3$, and $p_4$ are as follows:

  - $R_{p_1} = \{v_0, v_1, v_3\}$ and $W_{p_1} = \{v_0, v_1, v_3\}$.

  - $R_{p_2} = \{v_0, v_1, v_4\}$ and $W_{p_2} = \{v_0, v_1, v_4\}$.

  - $R_{p_3} = \{v_0, v_1, v_2, v_3, v_4\}$ and $W_{p_3} = \{v_0, v_2, v_3, v_4\}$.

  - $R_{p_4} = \{v_0, v_1, v_2, v_3, v_4\}$ and $W_{p_4} = \{v_1, v_2, v_3, v_4\}$.

• Transition predicates. For each propositional variable $x_i$, $1 \le i \le N$, we include the following transitions in processes $p_1$, $p_2$, $p_3$, and $p_4$ (see Figure 2-a):

  - $T_{p_1} = \{(b'_i, c'_i), (b_i, Q_i) \mid 1 \le i \le N\}$.

  - $T_{p_2} = \{(b_i, c_i), (b'_i, Q'_i) \mid 1 \le i \le N\}$.

  - $T_{p_3} = \{(a_i, b_i), (a'_i, b'_i), (c_i, d_i), (c'_i, d'_i), (Q_i, Q_i), (Q'_i, Q'_i) \mid 1 \le i \le N\}$.

  - $T_{p_4} = \{(d'_i, b_i), (d_i, b'_i) \mid 1 \le i \le N\}$.

Moreover, corresponding to each clause $y_j$, $N+1 \le j \le M+N$, and variable $x_i$, $1 \le i \le N$, in clause $y_j$, we include transition $(r_j, r_{ji})$ in $T_{p_3}$ and the following:

  - If $x_i$ is a literal in clause $y_j$ then we include transition $(r_{ji}, s_{ji})$ in $T_{p_2}$ and $(s_{ji}, a_i)$ in $T_{p_4}$.

  - If $\neg x_i$ is a literal in clause $y_j$ then we include transition $(r_{ji}, s'_{ji})$ in $T_{p_1}$ and $(s'_{ji}, a'_i)$ in $T_{p_4}$.

Note that for the sake of illustration Figure 2-a shows all possible transitions. However, in order to construct $\Pi$, based on the existence of $x_i$ or $\neg x_i$ in $y_j$, we only include a subset of transitions.

Initial states. The set $I_\Pi$ of $\Pi$ is the set of states that represent clauses of the Boolean formula in the instance of SAT, i.e., $I_\Pi = \{r_j \mid N+1 \le j \le M+N\}$.

Progress property. In our mapping, the desirable progress property is of the form $\Sigma_n = (true$ leads-to $Q)$, where $Q = \{Q_i, Q'_i \mid 1 \le i \le N\}$ (see Figure 2-a). Observe that $\Sigma_n$ is a leads-to as well as an ensures property. This property in Linear Temporal Logic (Ltl) is denoted by $\Box\Diamond Q$ (called always eventually $Q$).

Before we present our reduction from the SAT problem using the above mapping, we make the following observations regarding the grouping of transitions in different processes:

1. Due to the inability of process $p_1$ to read variable $v_2$, for all $i$, $1 \le i \le N$, transitions $(r_{ji}, s'_{ji})$, $(b'_i, c'_i)$, and $(b_i, Q_i)$ are grouped in process $p_1$.

2. Due to the inability of process $p_2$ to read variable $v_2$, for all $i$, $1 \le i \le N$, transitions $(r_{ji}, s_{ji})$, $(b_i, c_i)$, and $(b'_i, Q'_i)$ are grouped in process $p_2$.

3. Transitions grouped with the rest of the transitions in Figure 2-a are unreachable and, hence, are irrelevant.

We distinguish the following two cases for reducing the SAT problem to our revision problem:

• ($\Rightarrow$) First, we show that if the given instance of the SAT formula is satisfiable then there exists a solution that meets the requirements of the revision decision problem. Since the SAT formula is satisfiable, there exists an assignment of truth values to all variables $x_i$, $1 \le i \le N$, such that each $y_j$, $N+1 \le j \le M+N$, is true. Now, we identify a program $\Pi'$, that is obtained by adding the progress property $\Box\Diamond Q$ to program $\Pi$, as follows.

— The state space of $\Pi'$ consists of all the states of $\Pi$, i.e., $S_\Pi = S_{\Pi'}$.

— The initial states of $\Pi'$ consist of all the initial states of $\Pi$, i.e., $I_\Pi = I_{\Pi'}$.

— For each variable $x_i$, $1 \le i \le N$, if $x_i$ is true then we include the following transitions: $(a_i, b_i)$, $(c_i, d_i)$, and $(Q'_i, Q'_i)$ in $T_{p_3}$, $(b_i, c_i)$ and $(b'_i, Q'_i)$ in $T_{p_2}$, and $(d_i, b'_i)$ in $T_{p_4}$.

— For each variable $x_i$, $1 \le i \le N$, if $x_i$ is false then we include the following transitions: $(a'_i, b'_i)$, $(c'_i, d'_i)$, and $(Q_i, Q_i)$ in $T_{p_3}$, $(b'_i, c'_i)$ and $(b_i, Q_i)$ in $T_{p_1}$, and $(d'_i, b_i)$ in $T_{p_4}$.

— For each clause $y_j$, $N+1 \le j \le M+N$, that contains literal $x_i$, if $x_i$ is true, we include transition $(r_j, r_{ji})$ in $T_{p_3}$, $(r_{ji}, s_{ji})$ in $T_{p_2}$, and $(s_{ji}, a_i)$ in $T_{p_4}$.

— For each clause $y_j$, $N+1 \le j \le M+N$, that contains literal $\neg x_i$, if $x_i$ is false, we include transition $(r_j, r_{ji})$ in $T_{p_3}$, $(r_{ji}, s'_{ji})$ in $T_{p_1}$, and $(s'_{ji}, a'_i)$ in $T_{p_4}$.

As an illustration, we show the partial structure of $\Pi'$ for the formula $(x_1 \vee \neg x_2 \vee x_3) \wedge (x_1 \vee x_2 \vee \neg x_4)$, where $x_1 = true$, $x_2 = false$, $x_3 = false$, and $x_4 = false$, in Figure 2-b. Notice that states all of whose outgoing and incoming transitions are eliminated are not illustrated. Now, we show that $\Pi'$ meets the requirements of Problem Statement 3.1:

1. The first three constraints of the decision problem are trivially satisfied by construction.

2. We now show that constraint $C_4$ holds. First, it is easy to observe that by construction, there exist no reachable deadlock states in the revised program. Hence, if $\Pi$ refines Unity specification $\Sigma_e$ then $\Pi'$ refines $\Sigma_e$ as well. Moreover, by construction, all computations of $\Pi'$ eventually reach either $Q_i$ or $Q'_i$ and will stutter there. This is due to the fact that if literal $x_i$ is true in clause $y_j$ then transition $(r_{ji}, s'_{ji})$ is not included in $\Pi'$ and, hence, its group-mates $(b'_i, c'_i)$ and $(b_i, Q_i)$ are not in $T_{\Pi'}$ as well. Consequently, a computation that starts from $r_j$ eventually reaches $Q'_i$. Likewise, if literal $\neg x_i$ is false in clause $y_j$ then transition $(r_{ji}, s_{ji})$ is not included in $\Pi'$ and, hence, its group-mates $(b_i, c_i)$ and $(b'_i, Q'_i)$ are not in $T_{\Pi'}$ as well. Consequently, a computation that starts from $r_j$ eventually reaches $Q_i$. Hence, $\Pi'$ refines


• ($\Leftarrow$) Next, we show that if there exists a solution to the revision problem for the instance identified by our mapping from the SAT problem, then the given SAT formula is satisfiable. Let $\Pi'$ be the program that is obtained by adding the progress property $\Sigma_n = \Box\Diamond Q$ to program $\Pi$. Now, in order to obtain a solution for SAT, we proceed as follows. If there exists a computation of $\Pi'$ where state $a_i$ is reachable then we assign $x_i$ the truth value true. Otherwise, we assign the truth value false.

We now show that the above truth assignment satisfies all clauses. Let $y_j$ be a clause for some $j$, $N+1 \le j \le M+N$, and let $r_j$ be the corresponding initial state in $\Pi'$. Since $r_j$ is an initial state and $\Pi'$ cannot deadlock, the transition $(r_j, r_{ji})$ must be present in $\Pi'$, for some $i$, $1 \le i \le N$. By the same argument, there must exist some transition that originates from $r_{ji}$. This transition terminates in either $s_{ji}$ or $s'_{ji}$. Observe that $\Pi'$ cannot have both transitions, as grouping of transitions will include transitions $(b_i, c_i)$ and $(b'_i, c'_i)$. If this is the case, $\Pi'$ does not refine the property $\Box\Diamond Q$ due to the existence of cycle $b_i \to c_i \to d_i \to b'_i \to c'_i \to d'_i \to b_i$. Thus, there can be one and only one outgoing transition from $r_{ji}$ in $\Pi'$. Now, if the transition from $r_{ji}$ terminates in $s_{ji}$, then clause $y_j$ contains literal $x_i$ and $x_i$ is assigned the truth value true. Hence, $y_j$ evaluates to true. Likewise, if the transition from $r_{ji}$ terminates in $s'_{ji}$ then clause $y_j$ contains literal $\neg x_i$ and $x_i$ is assigned the truth value false. Hence, $y_j$ evaluates to true. Therefore, the assignment of values considered above is a satisfying truth assignment for the given SAT formula. ∎
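The mapping of Figure 2-a and both directions of the proof, worked through on the formula of Figure 2-b. This is an added example written for this section, not code from the paper or from Sycraft: the state names follow the figure, but their encoding as Python tuples, the function names, and the fact that the grouping of transitions is encoded directly from observations 1 and 2 (rather than derived from the variable values, which only the figure carries) are choices made here. The check that every computation reaches $Q$ is an explicit-state search over the finite transition graph of the instance.

```python
"""Explicit-state model of the SAT reduction of Theorem 5.1 (added example).
States are tuples such as ("b'", i), ("r", j) and ("s", j, i)."""

def clause_transitions(j, lit):
    """Transitions the mapping adds for literal lit of clause y_j (DIMACS style:
    3 is x_3, -3 is not x_3), as (process, transition) pairs."""
    i = abs(lit)
    s, a = ("s" if lit > 0 else "s'", j, i), ("a" if lit > 0 else "a'", i)
    return [(3, (("r", j), ("r", j, i))),              # r_j -> r_ji in p3
            (2 if lit > 0 else 1, (("r", j, i), s)),   # r_ji -> s_ji (p2) / s'_ji (p1)
            (4, (s, a))]                                # s_ji -> a_i / s'_ji -> a'_i in p4

def build_instance(clauses, n):
    """Program Pi for a CNF formula over x_1..x_n; clauses are numbered n+1..n+M."""
    T = {1: set(), 2: set(), 3: set(), 4: set()}
    for i in range(1, n + 1):
        a, a_, b, b_ = ("a", i), ("a'", i), ("b", i), ("b'", i)
        c, c_, d, d_, q, q_ = ("c", i), ("c'", i), ("d", i), ("d'", i), ("Q", i), ("Q'", i)
        T[1] |= {(b_, c_), (b, q)}
        T[2] |= {(b, c), (b_, q_)}
        T[3] |= {(a, b), (a_, b_), (c, d), (c_, d_), (q, q), (q_, q_)}
        T[4] |= {(d_, b), (d, b_)}
    init = set()
    for j, clause in enumerate(clauses, start=n + 1):
        init.add(("r", j))
        for lit in clause:
            for p, t in clause_transitions(j, lit):
                T[p].add(t)
    return T, init

def group(proc, t, clauses, n):
    """Group-mates of t per observations 1 and 2: p1 (cannot read v_2) groups
    (r_ji, s'_ji), (b'_i, c'_i), (b_i, Q_i); p2 groups (r_ji, s_ji), (b_i, c_i),
    (b'_i, Q'_i). Every other transition is a group of its own."""
    i, js = t[1][-1], range(n + 1, n + 1 + len(clauses))
    if proc == 1:
        g = {(("b'", i), ("c'", i)), (("b", i), ("Q", i))}
        g |= {(("r", j, i), ("s'", j, i)) for j, cl in zip(js, clauses) if -i in cl}
    elif proc == 2:
        g = {(("b", i), ("c", i)), (("b'", i), ("Q'", i))}
        g |= {(("r", j, i), ("s", j, i)) for j, cl in zip(js, clauses) if i in cl}
    else:
        g = {t}
    return g if t in g else {t}

def revise(clauses, n, val):
    """The (=>) direction: Pi' keeps exactly the transitions the proof lists
    for the truth assignment val (dict i -> bool)."""
    T, init = build_instance(clauses, n)
    keep = {p: set() for p in T}
    for i in range(1, n + 1):
        x, y = ("", "'") if val[i] else ("'", "")   # x: the side kept alive, y: the other
        keep[3] |= {(("a" + x, i), ("b" + x, i)), (("c" + x, i), ("d" + x, i)),
                    (("Q" + y, i), ("Q" + y, i))}
        keep[2 if val[i] else 1] |= {(("b" + x, i), ("c" + x, i)), (("b" + y, i), ("Q" + y, i))}
        keep[4].add((("d" + x, i), ("b" + y, i)))
    for j, clause in enumerate(clauses, start=n + 1):
        for lit in clause:
            if (lit > 0) == val[abs(lit)]:   # only literals that are true under val survive
                for p, t in clause_transitions(j, lit):
                    keep[p].add(t)
    return {p: T[p] & keep[p] for p in T}, init

def respects_grouping(T_orig, T_rev, clauses, n):
    """A transition of p1 or p2 is kept in Pi' iff its whole group is kept."""
    return all(g <= T_rev[p] or not (g & T_rev[p])
               for p in (1, 2) for t in T_orig[p] for g in [group(p, t, clauses, n)])

def successors(T):
    succ = {}
    for s, t in (e for p in T.values() for e in p):
        succ.setdefault(s, set()).add(t)
    return succ

def refines_always_eventually_q(T, init, n):
    """Every computation from an initial state reaches Q = {Q_i, Q'_i}: with Q
    treated as a sink, the graph reachable from init has no deadlock and no cycle."""
    succ, on_path = successors(T), set()
    Q = {(k, i) for i in range(1, n + 1) for k in ("Q", "Q'")}
    def ok(s):
        if s in Q:
            return True
        if s in on_path or not succ.get(s):
            return False   # non-progress cycle, or deadlock outside Q
        on_path.add(s)
        good = all(ok(t) for t in succ[s])
        on_path.discard(s)
        return good
    return all(ok(s) for s in init)

def extract_assignment(T, init, n):
    """The (<=) direction: x_i is true iff state a_i is reachable in Pi'."""
    succ, seen, todo = successors(T), set(init), list(init)
    while todo:
        new = succ.get(todo.pop(), set()) - seen
        seen |= new
        todo.extend(new)
    return {i: ("a", i) in seen for i in range(1, n + 1)}
```

On the formula of Figure 2-b, `build_instance([[1, -2, 3], [1, 2, -4]], 4)` yields the original $\Pi$, which does not refine $\Box\Diamond Q$ because of the six-state cycle through $b_1$; `revise` with the assignment of the figure yields a $\Pi'$ that does, that respects the grouping of $p_1$ and $p_2$, and from which `extract_assignment` recovers the same assignment, as the proof's second direction states.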


5.2 A Symbolic Heuristic for Adding Leads-To Properties

We  now  present  a  BDD-based  heuristic  for  adding 
leads-to  properties  to  distributed  programs  due  to 
its  interesting  applications  in  automated  addition  of 
recovery  for  synthesizing  fault-tolerant  distributed 
programs. 

The NP-hardness reduction presented in the proof of Theorem 5.1 shows precisely where the complexity of the problem lies. Indeed, Figure 2-a shows that transition $(b_i, c_i)$ (respectively, $(b'_i, c'_i)$), which can potentially be removed to break the non-progress cycle $b_i \to c_i \to d_i \to b'_i \to c'_i \to d'_i \to b_i$, is grouped with the critical transition $(r_{ji}, s_{ji})$ (respectively, $(r_{ji}, s'_{ji})$) which ensures that state $r_{ji}$ and consequently initial state $r_j$ are not deadlock states. Thus, a heuristic that adds a leads-to property to a distributed program needs to address this issue.

Our heuristic works as follows (cf. Figure 3-a). The Algorithm Add_LeadsTo takes a distributed program $\Pi = (P_\Pi, I_\Pi)$ and a property $P$ leads-to $Q$ as input, where $P$ and $Q$ are two arbitrary state predicates in the state space of $\Pi$. The algorithm (if successful) returns the transition predicate of the derived program $\Pi' = (P_{\Pi'}, I_{\Pi'})$ that refines $P$ leads-to $Q$ as output. In order to transform $\Pi$ to $\Pi'$, first, the algorithm ranks states that can be reached from $P$ based on the length of their shortest path to $Q$ (Line 2). Then, it attempts to break non-progress cycles (Lines 3-13). To this end, it first computes the set of cycles that are reachable from $P$ (Line 4). This computation can be accomplished using any BDD-based cycle detection algorithm. We apply the Emerson-Lei method [10]. Then, the algorithm removes transitions that participate in a cycle and whose source state has a rank less than or equal to the rank of the destination state (Lines 6-10). However, since removal of a transition must take place with its entire group predicate, we do not remove a transition that causes creation of deadlock states in $Q$. Instead, we make the corresponding cycle unreachable (Line 8). This can be done by simply removing transitions that terminate in a state on the cycle. Thus, if removal of a group of transitions does not create new deadlock states in $Q$, the algorithm removes them (Line 10). Finally, since removal of transitions may create deadlock states outside $Q$ but reachable from $P$, we need to eliminate those deadlock states (Line 15). Such elimination can be accomplished using the BDD-based method proposed in [5].
Algorithm 1 Add_LeadsTo

Input: A distributed program $\Pi = (P_\Pi, I_\Pi)$ and property $P$ leads-to $Q$.
Output: If successful, transition predicate $T_{\Pi'}$ of the new program.

1: repeat
2:   Let $Rank[i]$ contain the state predicate whose length of shortest path to $Q$ is $i$, where $Rank[0] = Q$ and $Rank[\infty]$ = the state predicate that is reachable from $P$, but cannot reach $Q$;
3:   for all $i$ and $j$ do
4:     $C$ := ComputeCycles($T_\Pi$, …);
5:     if $(i \le j) \wedge (i \ne 0) \wedge (i \ne \infty)$ then
6:       $tmp$ := Group($(C \wedge Rank[i]) \wedge (C \wedge Rank[j])'$);
7:       if removal of $tmp$ from $T_\Pi$ eliminates a state from $Q$ then
8:         Make $(C \wedge tmp)$ unreachable
9:       else
10:        $T_\Pi := T_\Pi - tmp$;
11:      end if
12:    end if
13:  end for
14: until $Rank[\infty] = \{\}$
15: $T_{\Pi'}$ := EliminateDeadlockStates($P$, $Q$, $(P_\Pi, I_\Pi)$);
16: return $T_{\Pi'}$;

Figure 3: Adding leads-to property to distributed programs.
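An explicit-state rendering of Algorithm 1, added here as an example and not taken from the paper or from Sycraft. The paper's algorithm is symbolic (BDD-based) and relies on the Emerson-Lei cycle detection of [10] and the deadlock elimination of [5]; this version instead finds cycles and deadlocks by plain graph search, takes the grouping as an explicit partition of the transitions, replaces the deadlock elimination of Line 15 with a simple backward pruning, and replaces the unconditional repeat-until of Lines 1-14 with a guard that stops a round that removes nothing. The helper names and the scenarios in the usage note are constructed for this example.

```python
"""Explicit-state rendering of Algorithm 1 (Add_LeadsTo), added as an example.
Transitions are pairs of states; `groups` is a list of sets of transitions that
must be removed together (the group predicates of the paper)."""
from collections import deque

INF = float("inf")

def successors(T):
    succ = {}
    for s, t in T:
        succ.setdefault(s, set()).add(t)
    return succ

def reachable(T, start):
    """States reachable from the set `start` (including `start` itself)."""
    succ, seen, todo = successors(T), set(start), deque(start)
    while todo:
        for t in succ.get(todo.popleft(), ()):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def compute_ranks(T, Q):
    """Line 2: rank = length of the shortest path to Q (Rank[0] = Q).
    States absent from the result cannot reach Q, i.e. they form Rank[oo]."""
    pred = {}
    for s, t in T:
        pred.setdefault(t, set()).add(s)
    rank, todo = {q: 0 for q in Q}, deque(Q)
    while todo:
        t = todo.popleft()
        for s in pred.get(t, ()):
            if s not in rank:
                rank[s] = rank[t] + 1
                todo.append(s)
    return rank

def group_of(groups, edge):
    """Line 6: the whole group a transition belongs to (a singleton by default)."""
    return next((set(g) for g in groups if edge in g), {edge})

def on_cycle(T, edge):
    s, t = edge
    return s in reachable(T, {t})

def eliminate_deadlock_states(T, groups, P, Q):
    """Line 15, simplified stand-in for the method of [5]: repeatedly cut (group-wise)
    every transition entering a reachable deadlock outside Q; fail if P deadlocks."""
    T = set(T)
    while True:
        succ = successors(T)
        dead = {s for s in reachable(T, P) if s not in Q and not succ.get(s)}
        if not dead:
            return T
        if dead & set(P):
            return None
        for u, v in list(T):
            if v in dead:
                T -= group_of(groups, (u, v))

def add_leads_to(T, groups, P, Q):
    """Returns the revised transition set, or None if the heuristic fails."""
    T = set(T)
    while True:                                    # Lines 1-14
        changed, rank = False, compute_ranks(T, Q)
        r = lambda s: rank.get(s, INF)
        for s, t in sorted(T):                     # Lines 3-5
            if (s, t) not in T or s not in reachable(T, P) or not on_cycle(T, (s, t)):
                continue
            if not (r(s) <= r(t) and r(s) != 0 and r(s) != INF):
                continue
            tmp = group_of(groups, (s, t))
            if any(not successors(T - tmp).get(q) for q in Q):   # Line 7
                # Line 8: removing tmp would deadlock a state of Q, so instead cut
                # every transition entering the cycle's strongly connected component
                scc = {u for u in reachable(T, {t}) if s in reachable(T, {u})}
                for u, v in list(T):
                    if v in scc and u not in scc and (u, v) in T:
                        T -= group_of(groups, (u, v))
                        changed = True
            else:                                  # Line 10
                T -= tmp
                changed = True
        rank = compute_ranks(T, Q)
        if not changed or all(s in rank for s in reachable(T, P)):  # Line 14
            break
    T = eliminate_deadlock_states(T, groups, P, Q)
    if T is None or any(s not in compute_ranks(T, Q) for s in reachable(T, P)):
        return None
    return T
```

A constructed scenario that exercises Line 8: states 0..6 with $P = \{0\}$, $Q = \{5\}$, a two-state cycle $1 \to 2 \to 1$ on the way from 0 to 5, an alternative route $0 \to 6 \to 5$, and a group that ties the only rank-non-decreasing cycle transition $(2, 1)$ to the self-loop $(5, 5)$ of the target. Removing the group would deadlock $Q$, so the heuristic cuts the entering transition $(0, 1)$ instead; with singleton groups it simply drops $(2, 1)$. A state with no outgoing transition is handled by the deadlock elimination step, and an instance in which no reachable state can reach $Q$ makes the heuristic report failure.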


Given the $O(n^2)$ complexity of the cycle detection algorithm [10], it is straightforward to observe that the complexity of our heuristic is O(n^), where $n$ is the size of the state space of $\Pi$. In order to evaluate the performance of our heuristic, we have implemented the Algorithm Add_LeadsTo in our tool Sycraft [6]. This heuristic can be used for adding recovery in order to synthesize fault-tolerant distributed programs by performing the following two steps. First, we add all possible transitions that start from the fault-span predicate $T$ (i.e., the set of all states reachable in the presence of faults) and end in $T$. Then, we apply the Algorithm Add_LeadsTo for property $(T - S)$ leads-to $S$, where $S$ is the set of legitimate states (i.e., an invariant predicate).

Figure 3-b illustrates experimental results of our heuristic for adding such recovery. All experiments are run on a PC with a 2.8GHz Intel Xeon processor and 1.2GB RAM. The BDD representation of the Boolean formulae has been done using the Glu/CUDD package [18]. Our experiments target addition of recovery to two well-known problems in fault-tolerant distributed computing, namely, the Byzantine agreement problem [14] (denoted $BA^i$) and the token ring problem [2] (denoted $TR^i$), where $i$ is the number of processes. Figure 3-b shows the number of reachable states in the presence of faults, memory usage, total time spent to add the desired leads-to property, time spent on cycle detection (i.e., Line 4 in Figure 3-a), and time spent on pruning transitions that participate in a cycle. Given the huge size of the state space and the complexity of the structure of the programs in our experiments, we find the experimental results quite encouraging. We note that the reason TR and BA behave differently as their number of processes grows is their different structures, existing cycles, and number of reachable states. In particular, the state space of TR is highly reachable and its original program has a cycle that includes all of its legitimate states, which is not the case for BA. We also note that in the case of TR, the symbolic heuristic presented in this subsection tends to be slower than the constructive layered approach introduced in [5]. However, the approach in this paper is more general and has a better potential of success than the approach in [5].

6  Related  Work 

The most relevant work to this paper proposes automated transformation techniques for adding Unity properties to centralized programs [8]. We showed that addition of multiple Unity safety properties along with a single progress property to a centralized program can be accomplished in polynomial time. We also showed that the problem of simultaneous addition of two leads-to properties to a centralized program is NP-complete.

Existing synthesis methods in the literature mostly focus on deriving the synchronization skeleton of a program from its specification (expressed in terms of temporal logic expressions or finite-state automata) [1,3,4,9,15-17]. Although such synthesis methods may have differences with respect to the input specification language and the program model that they synthesize, the general approach is based on the satisfiability proof of the specification. This makes it difficult to provide reuse in the synthesis of programs; i.e., any change in the specification requires the synthesis to be restarted from scratch.

Algorithms for automatic addition of fault-tolerance to distributed programs have been studied from different perspectives [5,11-13]. These (enumerative and symbolic) algorithms add fault-tolerance concerns to existing programs in the presence of faults, and guarantee not to add new behaviors to that program in the absence of faults. Most problems in addition of fault-tolerance to distributed programs are known to be NP-complete. Thus, in this paper, we find it somewhat unexpected that the corresponding problems in the absence of faults remain NP-complete.

7  Conclusion  and  Future  Work 

In this paper, we concentrated on automated techniques for revising distributed programs with respect to Unity properties. We showed that unlike centralized programs, where multiple Unity safety properties along with one progress property can be added in polynomial time [8], the problem is NP-complete for distributed programs. We also introduced and implemented a BDD-based heuristic for adding a leads-to property to distributed programs in our tool Sycraft [6]. Our experiments show encouraging results, paving the path for applying automated techniques for deriving programs that are correct-by-construction in practice.

For future work, we plan to identify sub-problems where one can devise sound and complete algorithms that add Unity properties to distributed programs in polynomial time. We also plan to devise heuristics for adding other types of Unity properties to distributed programs.
Appendix

A Summary of Notations

$V$  set of variables
$D$  domain of variables
$s$  state
$S$  state space
$T_p$  transition predicate of process $p$
$W_p$  set of variables that process $p$ can write
$R_p$  set of variables that process $p$ can read
$\Pi$  distributed program
$P_\Pi$  processes of program $\Pi$
$I_\Pi$  initial states of program $\Pi$
$T_\Pi$  transition predicate of program $\Pi$
$P, Q$  state predicates
$\sigma$  computation
$C$  Unity property
$\Sigma_e$  existing specification
$\Sigma_n$  new specification
$B$  transition predicate that characterizes a safety Unity property
$\Box\Diamond Q$  always eventually $Q$